Persistent Cross-Site Scripting on redacted worth $2,000

This is my second write-up, and again it is not a very technical one. In this report you will see how a single user of the redacted ORG could affect each and every member of the ORG, admins included, through an XSS vulnerability. The target website was a CRM. I reported this vulnerability to redacted 3 years ago and was rewarded $2,000. I will share some technical vulnerabilities very soon :)

So I got an invitation on HackerOne to pentest the redacted web services, and I started pentesting. I was looking for XSS because, as you all know, a CRM is built around users and admins; if a user-initiated XSS attack can affect the admins and all other users, that is a high-severity cross-site scripting issue. So I was looking for a cross-site scripting vulnerability that could be initiated by an ordinary user.

How did I find persistent cross-site scripting on redacted?

I went to the Library functionality of redacted and created a library with an XSS payload like "><script>alert(1)</script>#"><img src="x" onerror=prompt(1);> but no luck. I tried multiple payloads in every field, but every time the payload came back in the response as plain text.

Why am I not an expert in JavaScript?

I was about to move on to the next functionality of redacted because I was not able to bypass the XSS filter. At the same time, I saw the Tags option in Libraries, where we can create custom tags. I created a custom tag with the payload <img src xss> and boom!

This time the response was different. The XSS still did not trigger, but there was a broken image in the response, which meant the tag was being rendered as HTML rather than as plain text. So I analyzed the output payload in the page source and created multiple payloads according to the response, but no luck again. I am not much of an expert in JavaScript, which is why I searched for payloads and polyglots that bypass this type of XSS filter. I found the payload /*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"/-alert(1)//><img src=1 onerror=alert(1)>' and used it to create library tags.

BOOM ….. BOOOOM …..BOOOOOOOOOOOOOM !!!!

Celebration Time :)

The XSS triggered successfully, and since the attack is initiated by an ordinary user, it can affect all admins and all users of the ORG. So redacted rewarded me $1,500 plus a $500 bonus, and my report was also selected as one of the best reports of August and rewarded a further $500 bonus!
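To make the bypass concrete, here is an added JavaScript example; it is not code from the original post or from the redacted CRM. The blocklist filter in it is a hypothetical one, assumed for illustration only, that strips script blocks, javascript: URLs and a few well-known event handlers but not onerror; the function names are mine. It runs the three payloads from the write-up (the harmless <img src xss>, a bare script tag, and the polyglot) through that blocklist and through context-aware HTML escaping, then checks whether the rendered markup still carries anything executable. The polyglot survives the blocklist because it never uses a token the blocklist knows about, while escaping neutralises it because the "<" that every element needs is turned into an entity.

```javascript
// Added example (not the redacted CRM's code): a hypothetical blocklist-style
// XSS filter beside context-aware HTML escaping, exercised with the payloads
// from the write-up.

// The polyglot payload from the write-up, as a JS string.
const POLYGLOT =
  `/*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>` +
  `'-/"/-alert(1)//><img src=1 onerror=alert(1)>'`;

// The tag that produced a broken image but no script execution.
const BROKEN_IMAGE = '<img src xss>';

// A bare script tag, the kind of thing any blocklist catches.
const SCRIPT_TAG = '<script>alert(1)</script>';

// Hypothetical blocklist filter (an assumption, for illustration): removes
// <script> blocks, a javascript: scheme and a handful of handler names.
// It does not know about onerror and knows nothing about the HTML context
// it writes into, which is the gap the polyglot walks through.
function blocklistFilter(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript\s*:/gi, '')
    .replace(/\bon(load|click|mouseover|focus)\s*=/gi, '');
}

// Context-aware escaping for HTML element content and quoted attributes:
// every character that can open markup or close a quote becomes an entity.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a tag label into the page the way a template would, through the
// chosen sanitiser.
function renderTag(label, sanitise) {
  return `<span class="tag">${sanitise(label)}</span>`;
}

// Rough check for still-executable markup: an element carrying an on*
// handler, an opening <script>, or a javascript: URL. A real check would load
// the HTML in a browser; this is enough to compare the two sanitisers.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html)
      || /<script\b/i.test(html)
      || /javascript\s*:/i.test(html);
}

// For one payload, reports whether each sanitiser lets executable markup
// through: true means the rendered page would still run attacker script.
function compare(payload) {
  return {
    blocklist: containsActiveMarkup(renderTag(payload, blocklistFilter)),
    escaped: containsActiveMarkup(renderTag(payload, escapeHtml)),
  };
}

console.log('img without handler', compare(BROKEN_IMAGE));
console.log('bare script tag    ', compare(SCRIPT_TAG));
console.log('polyglot           ', compare(POLYGLOT));
```

The takeaway for anyone fixing a bug like this: the defence is output encoding chosen for the context the value lands in, not a list of bad strings. A blocklist that stops the script tag and the usual handlers still leaves the polyglot intact, because the payload simply uses a handler the list does not name, and closing every plausible surrounding context means it works wherever the value is echoed.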